DOCSLIB.ORG

Code-Red: a Case Study on the Spread and Victims of an Intemet Worm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Code-Red: a Case Study on the Spread and Victims of an Intemet Worm Code-Red: a case study on the spread and victims of an Intemet worm David Moore, Colleen Shannon, k claffy Abstractm On July 19, 2001, more than 359,000 comput- I. INTRODUCTION ers connected to the Internet were infected with the Code- At 18:00 on November 2, 1988, Robert T. Morris re- Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is es- leased a 99 line program onto the Internet. At 00:34 on timated to be in excess of $2.6 billion. Despite the global November 3, 1988, Andy Sudduth of Harvard University damage caused by this attack, there have been few seri- posted the following message: "There may be a virus loose ous attempts to characterize the spread of the worm, partly on the Internet?' Indeed, Sun and VAX machines across due to the challenge of collecting global information about the country were screeching to a halt as invisible tasks uti- worms. Using a technique that enables global detection of lized all available resources [1] [2]. worm spread, we collected and analyzed data over a period No virus brought large computers across the country to of 45 days beginning July 2nd, 2001 to determine the charac- teristics of the spread of Code-Red throughout the Internet. a standstill - the culprit was actually the first malicious worm. Unlike viruses and trojans which rely on human In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our intervention to spread, worms are self-repficating software trace analyses. We first detail the spread of the Code-Red designed to spread throughout a network on their own. Al- and CodeRedH worms in terms of infection and deactiva- though the Morris worm was the first malicious worm to tion rates. Even without being optimized for spread of infec- wreak widespread havoc, earfier worms were actually de- tion, Code-Red infection rates peaked at over 2,000 hosts per signed to maximize utilization of networked computation minute. We then examine the properties of the infected host resources. In 1982 at Xerox's Palo Alto Research Cen- population, including geographic location, weekly and diur- ter, John Shoch and Jon Hupp wrote five worm programs nal time effects, top-level domains, and ISPs. We demon- strate that the worm was an international event, infection ac- that performed such benign tasks as posting announce- tivity exhibited time-of-day effects, and found that, although ments [3]. However, research into using worm programs most attention focused on large corporations, the Code-Red as tools was abandoned after it was determined that the worm primarily preyed upon home and small business users. consequences of a worm malfunction could be dire. We also qualified the effects of DHCP on measurements of In the years between the Morris worm in November infected hosts and determined that IP addresses are not an 1988 and June 2001, Several other worms achieved tim- accurate measure of the spread of a worm on fimescales ited spread through host populations. The WANK (Worms longer than 24 hours. Finally, the experience of the Code- Red worm demonstrates that wide-spread vulnerabilities in Against Nuclear Killers) worm of October, 1989 attacked Internet hosts can be exploited quickly and dramatically, SPAN VAX/VMS systems via DECnet protocols [4]. The and that techniques other than host patching are required Ramen worm, first spread in January of 2001 targeted the to mitigate Internet worms. wu-ftp daemon on RedHat Linux 6.2 and 7.0 systems [5]. Keywords--Code-Red, Code-RedI, CodeRedI, CodeRedH, Finally, the Lion Worm targeted the TSIG vulnerability in worm, security, backseatter, virus, epidemiology BIND in March of 2001 [6]. While all of these worms caused some damage, none approached the $2.6 billion cost of recovering from the CAIDA, San Diego Supercomputer Center, University of California, Code-Red and CodeRedlI worms [7]. We can no longer af- San Diego. E-mail: {cshannon, dmoore, kc}@caida, org. Support for this work is provided by DARPA NMS Grant N66001- ford to remain ignorant of the spread and effects of worms 01-1-8909, NSF grant NCR-971 I092, Cisco Systems URB Grant, and as information technology plays a critical role in our global Caida members. economy. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee pro~ed that copies are not made or distributed for profit or commercial advantage and that II. BACKGROUND copies bear this notice and the full citation on the first page. To copy otherwise, to rep0blish, to post on servers or to redistribute to lists, On June 18, 2001, eEye released information about requires prior specific permission and/or a fee. a buffer-overflow vulnerability in Microsoft's IIS web IMW'02, Nov. 6-8, 2002, Marseille, France Copyright 2002 ACM ISBN 1-58113-603-X/02/0011 ...$5.00 servers [8]. Microsoft released a patch for the vulnera- bility eight days later, on June 26, 2001 [9]. Then on July 273 12, 2001, the Code-RedI worm began to exploit the afore- probing random IP addresses and infecting all hosts vul- mentioned buffer-overflow vulnerability in Microsoft's IIS nerable to the IIS exploit. Unlike Code-RedI vl, Code- web servers. RedI v2 uses a random seed in its pseudo-random number Upon infecting a machine, the worm checks to see if the generator, so each infected computer tries to infect a differ- date (as kept by the system clock) is between the first and ent list of randomly generated IP addresses at an observed the nineteenth of the month. If so, the worm generates a rate of roughly 11 probes per second (pps). This seemingly random list of IP addresses and probes each machine on minor change had a major impact: more than 359,000 ma- the list ia an attempt to infect as many computers as pos- chines were infected with Code-RedI v2 in just fourteen sible. However, this first version of the worm uses a static hours [10][11]. seed in its random number generator and thus generates Because Code-RedI v2 is identical to Code-Red vl in identical lists of IP addresses on each infected machine. all respects except the seed for its pseudo-random num- The first version of the worm spread slowly, because each ber generator, the only direct damage to the infected host infected machine began to spread the worm by probing is the "Hacked by Chinese" message added to top level machines that were either already infected or impregnable. web pages on some hosts. However, Code-RedI v2 had a On the 20th of every month, the worm is programmed to greater impact on global infrastructure due to the sheer vol- stop infecting other machines and proceed to its next at- ume of hosts infected and probes sent to infect new hosts. tack phase in which it launches a Denial-of-Service attack Code-RedI v2 also wreaked havoc on some additional against wwwl. whitehouse, gov from the 20th to the devices with web interfaces, such as routers, switches, 28th of each month. The worm is dormant on days of the DSL modems, and printers [12]. Although these devices month following the 28th. were not susceptible to infection by the worm, they either On Jtd!y 13th, Ryan Permeh and Marc Maiffret at eEye crashed or rebooted when an infected machine attempted Digital Security received logs of attacks by the worm and to send them the unusual http request containing a copy of worked through the night to disassemble and analyze the the worm. worm. They christened the worm "Code-Red" both be- Like Code-RedI v 1, Code-RedI v2 can be removed from cause the highly caffeinated "Code Red" Mountain Dew a computer simply by rebooting it. However, reboofing the beverage fueled their efforts to understand the workings machine does not prevent reinfection once the machine is of the worm and because the worm defaces some web online again. On July 19th, the number of machines at- pages with the phrase "Hacked by Chinese". There is no tempting to infect new hosts was so high that many ma- evidence either supporting or refuting the involvement of chines were infected while the patch for the vulnerability Chinese hackers with the Code-RedI worm. The first ver- was being applied. sion of rite Code-Red worm (Code-RedI v 11) caused little On August 4, 2001, an entirely new worm, CodeRedlI damage. Although the worm's attempts to spread itself began to exploit the buffer-overflow vulnerability in Mi- consumed resources on infected machines and local area crosoft's HS web servers [13] [14]. Although the new networks, it had little impact on global resources. worm is completely unrelated to the original Code-RedI The Code-RedI vl worm is memory resident, so an in- worm, the source code of the worm contained the string fected machine can be disinfected by simply rebooting it. "CodeRedlI" which became the name of the new worm. However, the machine is still vulnerable to repeat infec- Ryan Permeh and Marc Maiffret analyzed CodeRedlI tion. Any machines infected by Code-RedI vl and sub- to determine its attack mechanism. When a worm infects sequently rebooted were likely to be reinfected, because a new host, it first determines if the system has already each newly infected machine probes the same list of IP been infected. If not, the worm initiates its propagation addresses in the same order.
Load more

Recommended publications
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • Undergraduate Report
    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
    [Show full text]
  • Jeffrey Heim, Marcel Hernandez, Maria Nunez,& Matthias Katerna Morris Worm on November 2, 1988, Robert Tappan Morris Releas
    Jeffrey Heim, Marcel Hernandez, Maria Nunez,& Matthias Katerna Morris Worm On November 2, 1988, Robert Tappan Morris released a worm into the internet. The experimental worm was the first of its kind. It replicated itself and programmed itself, so it ended up spreading much faster than Morris expected. It self-programmed and self-replicated at an exponential rate in a manner that had never been seen before. Morris knew this worm was not necessarily ethical, for he released it out of MIT instead of his own Cornell University. In due course, many computers across the United States had crashed because of Morris. Once he discovered how much damage the worm had been causing, he reached out to a friend at Harvard looking for a solution to stop it. They attempted in sending an anonymous message to the network with directions that could kill the worm, but the message came through too late since they system was clogged. Many significant computers at colleges, businesses and the military became infected. The cost to fix each computer ranged from $200 to over $53,000. The worm exploited vulnerabilities in computer systems and in the UNIX email software. Within 24 hours of releasing the worm, thousands of people were aware something was unusual. Eventually, it would infect ten percent of all computers using the internet. The Morris Worm was the largest malware case ever to reach this percentage. However, the percentage was so high due to the fact that the number of computers was much less than today. The computers it impacted included significant systems, such as Stanford’s, Berkley’s and NASA’s.
    [Show full text]
  • Lexisnexis® Congressional Copyright 2003 Fdchemedia, Inc. All Rights
    LexisNexis® Congressional Copyright 2003 FDCHeMedia, Inc. All Rights Reserved. Federal Document Clearing House Congressional Testimony September 10, 2003 Wednesday SECTION: CAPITOL HILL HEARING TESTIMONY LENGTH: 4090 words COMMITTEE: HOUSE GOVERNMENT REFORM SUBCOMMITTEE: TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS, AND CENSUS HEADLINE: COMPUTER VIRUS PROTECTION TESTIMONY-BY: RICHARD PETHIA, DIRECTOR AFFILIATION: CERT COORDINATION CENTER BODY: Statement of Richard Pethia Director, CERT Coordination Center Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census Committee on House Government Reform September 10, 2003 Introduction Mr. Chairman and Members of the Subcommittee: My name is Rich Pethia. I am the director of the CERTO Coordination Center (CERT/CC). Thank you for the opportunity to testify on the important issue of cyber security. Today I will discuss viruses and worms and the steps we must take to protect our systems from them. The CERT/CC was formed in 1988 as a direct result of the first Internet worm. It was the first computer security incident to make headline news, serving as a wake-up call for network security. In response, the CERT/CC was established by the Defense Advanced Research Projects Agency at Carnegie Mellon University's Software Engineering Institute, in Pittsburgh. Our mission is to serve as a focal point to help resolve computer security incidents and vulnerabilities, to help others establish incident response capabilities, and to raise awareness of computer security issues and help people understand the steps they need to take to better protect their systems. We activated the center in just two weeks, and we have worked hard to maintain our ability to react quickly.
    [Show full text]
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
    [Show full text]
  • Computer Security CS 426 Lecture 15
    Computer Security CS 426 Lecture 15 Malwares CS426 Fall 2010/Lecture 15 1 Trapdoor • SttitittSecret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonlyyy used by developers – Could be included in a compiler. CS426 Fall 2010/Lecture 15 2 Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks CS426 Fall 2010/Lecture 15 3 Examppgle of Logic Bomb • In 1982 , the Trans-Siber ian Pipe line inc iden t occurred. A KGB operative was to steal the plans fhititdtltditfor a sophisticated control system and its software from a Canadian firm, for use on their Siberi an pi peli ne. The CIA was tippe d o ff by documents in the Farewell Dossier and had the company itlibbithinsert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monu mental non-nu clear ex plosion and fire ever seen from space“. CS426 Fall 2010/Lecture 15 4 Trojan Horse • Program with an overt Example: Attacker: (expected) and covert effect Place the following file cp /bin/sh /tmp/.xxsh – Appears normal/expected chmod u+s,o+x /tmp/.xxsh – Covert effect violates security policy rm ./ls • User tricked into executing ls $* Trojan horse as /homes/victim/ls – Expects (and sees) overt behavior – Covert effect performed with • Victim user’s authorization ls CS426 Fall 2010/Lecture 15 5 Virus • Self-replicating
    [Show full text]
  • MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections
    942 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 2, SECOND QUARTER 2014 Modeling the Propagation of Worms in Networks: ASurvey Yini Wang, Sheng Wen, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE, Abstract—There are the two common means for propagating attacks account for 1/4 of the total threats in 2009 and nearly worms: scanning vulnerable computers in the network and 1/5 of the total threats in 2010. In order to prevent worms from spreading through topological neighbors. Modeling the propa- spreading into a large scale, researchers focus on modeling gation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous their propagation and then, on the basis of it, investigate the researches either focus on their proposed work or pay attention optimized countermeasures. Similar to the research of some to exploring detection and defense system. Few of them gives a nature disasters, like earthquake and tsunami, the modeling comprehensive analysis in modeling the propagation of worms can help us understand and characterize the key properties of which is helpful for developing defense mechanism against their spreading. In this field, it is mandatory to guarantee the worms’ spreading. This paper presents a survey and comparison of worms’ propagation models according to two different spread- accuracy of the modeling before the derived countermeasures ing methods of worms. We first identify worms characteristics can be considered credible. In recent years, although a variety through their spreading behavior, and then classify various of models and algorithms have been proposed for modeling target discover techniques employed by them.
    [Show full text]
  • The Blaster Worm: Then and Now
    Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c).
    [Show full text]
  • Code Red Worm Propagation Modeling and Analysis ∗
    Code Red Worm Propagation Modeling and Analysis ∗ Cliff Changchun Zou Weibo Gong Don Towsley Dept. Electrical & Dept. Electrical & Dept. Computer Science Computer Engineering Computer Engineering Univ. Massachusetts Univ. Massachusetts Univ. Massachusetts Amherst, MA Amherst, MA Amherst, MA [email protected] [email protected] [email protected] ABSTRACT the Internet has become a powerful mechanism for propa- The Code Red worm incident of July 2001 has stimulated gating malicious software programs. Worms, defined as au- activities to model and analyze Internet worm propagation. tonomous programs that spread through computer networks In this paper we provide a careful analysis of Code Red prop- by searching, attacking, and infecting remote computers au- agation by accounting for two factors: one is the dynamic tomatically, have been developed for more than 10 years countermeasures taken by ISPs and users; the other is the since the first Morris worm [30]. Today, our computing in- slowed down worm infection rate because Code Red rampant frastructure is more vulnerable than ever before [28]. The propagation caused congestion and troubles to some routers. Code Red worm and Nimda worm incidents of 2001 have Based on the classical epidemic Kermack-Mckendrick model, shown us how vulnerable our networks are and how fast we derive a general Internet worm model called the two- a virulent worm can spread; furthermore, Weaver presented factor worm model. Simulations and numerical solutions some design principles for worms such that they could spread of the two-factor worm model match the observed data of even faster [34]. In order to defend against future worms, we Code Red worm better than previous models do.
    [Show full text]
  • Lesson 6: Hacking Malware
    LESSON 6 HACKING MALWARE Lesson 6: Malware WARNING The Hacker Highschool Project is a learning tool and as with any learning tool there are dangers. Some lessons if abused may result in physical injury. Some additional dangers may also exist where there is not enough research on possible effects of emanations from particular technologies. Students using these lessons should be supervised yet encouraged to learn, try, and do. However ISECOM cannot accept responsibility for how any information herein is abused. The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool Project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the HHS web page at http://www.hackerhighschool.org/licensing.html. The HHS Project is an open community effort and if you find value in this project we ask that you support us through the purchase of a license, a donation, or sponsorship. 2 Lesson 6: Malware Table of Contents WARNING....................................................................................................................................................2
    [Show full text]
  • IBM X-Force Threat Insight Quarterly 2 X-Force Threat Insight Quarterly IBM Security Solutions
    IBM Security Solutions May 2011 IBM X-Force Threat Insight Quarterly 2 X-Force Threat Insight Quarterly IBM Security Solutions Contents About the report 2 About the Report The IBM X-Force® Threat Insight Quarterly is designed to highlight some of the most significant threats and challenges 3 Evolution: From Nuisance to Weapon facing security professionals today. This report is a product of IBM Managed Security Services and the IBM X-Force 8 Prolific and Impacting Issues of Q1 2011 research and development team. Each issue focuses on specific challenges and provides a recap of the most significant recent 16 References online threats. IBM Managed Security Services are designed to help an organization improve its information security, by outsourcing security operations or supplementing your existing security teams. The IBM protection on-demand platform helps deliver Managed Security Services and the expertise, knowledge and infrastructure an organization needs to secure its information assets from Internet attacks. The X-Force team provides the foundation for a preemptive approach to Internet security. The X-Force team is one of the best-known commercial security research groups in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology for IBM security products, and educates the public about emerging Internet threats. We welcome your feedback. Questions or comments regarding the content of this report should be addressed to [email protected]. 3 X-Force Threat Insight Quarterly IBM Security Solutions Evolution: From Nuisance to Weapon One of the more notable examples here is Brain3, a boot sector infector which originated in Pakistan and released in 1986, was Creeper, Wabbit, Animal, Elk Cloner, Brain, Vienna, Lehigh, one of the first examples of malware that infected PC’s running Stoned, Jerusalem.
    [Show full text]
  • Virus Protection: the Triad of Armor — Part I: the Workstation
    BY SCOTT JONES Virus Protection: The Triad of Armor — Part I: The Workstation irus protection and prevention are important tasks for system administrators. This article, the V first in a three-part series, examines how to protect one cornerstone of the IT environment — the workstation — and prevent malicious attacks. Code Red, Klez, oh my! Given the intense computer viruses have to cause damage in order to be NIMDA, level of virus activity in the past few classified as a virus. years, I thought it would be helpful to share some insight There are several different types of viruses, although into virus protection and prevention. This three-part series experts debate some of the classifications. The list includes aptly named “The Triad of Armor,” will examine the three stealth, polymorphic, cavity, and tunneling. Nevertheless, cornerstones of virus protection: the workstation, server and these viruses fit the basic description, even though they may email gateway. perform additional operations. A computer worm, much like a virus, can also replicate HISTORY functional copies of itself, but unlike a virus, worms are usually self-contained programs or sets of programs, and do There is some debate as to what the first computer virus not need to attach themselves to a host program. Worms are was. Some say it was the “Brain” virus written in 1986. usually designed to replicate across computer networks. However, in 1981, there were accounts of viruses infecting You can compare the Trojan Horse to the one used in Apple II operating systems. It is not my intent to argue what the battle of Troy — something that looks harmless but the first true computer virus was, but to merely note that has other intentions.
    [Show full text]